Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r81dd463b85273eb0154d89ef7694101de563197b -rfea3637199c74851ed7a8fa620da1ccb898be819
--- lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 81dd463b85273eb0154d89ef7694101de563197b)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision fea3637199c74851ed7a8fa620da1ccb898be819)
@@ -56,6 +56,9 @@
 
 org.owasp.csrfguard.protected.sbmtDefineLater=/lams/tool/lasbmt11/authoring/definelater.do
 org.owasp.csrfguard.protected.sbmtSubmissionDeadline=/lams/tool/lasbmt11/monitoring/setSubmissionDeadline.do
+org.owasp.csrfguard.protected.sbmtUpdateMark=/lams/tool/lasbmt11/mark/updateMark.do
+org.owasp.csrfguard.protected.sbmtReleaseMarks=/lams/tool/lasbmt11/monitoring/releaseMarks.do
+org.owasp.csrfguard.protected.sbmtDownloadMarks=/lams/tool/lasbmt11/monitoring/downloadMarks.do
 
 org.owasp.csrfguard.protected.scribeDefineLater=/lams/tool/lascrb11/authoring/definelater.do
 org.owasp.csrfguard.protected.scribeAppointScribe=/lams/tool/lascrb11/monitoring/appointScribe.do
Index: lams_tool_sbmt/src/java/org/lamsfoundation/lams/tool/sbmt/web/controller/MarkController.java
===================================================================
diff -u -r7694dd245cc58c5b7beb2348aaefb2762c47dc8d -rfea3637199c74851ed7a8fa620da1ccb898be819
--- lams_tool_sbmt/src/java/org/lamsfoundation/lams/tool/sbmt/web/controller/MarkController.java	(.../MarkController.java)	(revision 7694dd245cc58c5b7beb2348aaefb2762c47dc8d)
+++ lams_tool_sbmt/src/java/org/lamsfoundation/lams/tool/sbmt/web/controller/MarkController.java	(.../MarkController.java)	(revision fea3637199c74851ed7a8fa620da1ccb898be819)
@@ -47,6 +47,7 @@
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 
 /**
  * @author lfoxton
@@ -65,7 +66,7 @@
     /**
      * Update mark.
      */
-    @RequestMapping("/updateMark")
+    @RequestMapping(path = "/updateMark", method = RequestMethod.POST)
     public String updateMark(@ModelAttribute MarkForm markForm, HttpServletRequest request)
 	    throws InvalidParameterException, RepositoryCheckedException {
 
Index: lams_tool_sbmt/src/java/org/lamsfoundation/lams/tool/sbmt/web/controller/MonitoringController.java
===================================================================
diff -u -r1beaa4cc5e224dd433297d543c5511234c0bfc10 -rfea3637199c74851ed7a8fa620da1ccb898be819
--- lams_tool_sbmt/src/java/org/lamsfoundation/lams/tool/sbmt/web/controller/MonitoringController.java	(.../MonitoringController.java)	(revision 1beaa4cc5e224dd433297d543c5511234c0bfc10)
+++ lams_tool_sbmt/src/java/org/lamsfoundation/lams/tool/sbmt/web/controller/MonitoringController.java	(.../MonitoringController.java)	(revision fea3637199c74851ed7a8fa620da1ccb898be819)
@@ -264,7 +264,7 @@
     /**
      * Release mark
      */
-    @RequestMapping("/releaseMarks")
+    @RequestMapping(path = "/releaseMarks", method = RequestMethod.POST)
     @ResponseBody
     public void releaseMarks(HttpServletRequest request, HttpServletResponse response) {
 
@@ -276,7 +276,7 @@
     /**
      * Download submit file marks by MS Excel file format.
      */
-    @RequestMapping("/downloadMarks")
+    @RequestMapping(path = "/downloadMarks", method = RequestMethod.POST)
     public void downloadMarks(HttpServletRequest request, HttpServletResponse response) {
 
 	Long sessionID = WebUtil.readLongParam(request, AttributeNames.PARAM_TOOL_SESSION_ID);
@@ -581,4 +581,4 @@
 	request.setAttribute("sessions", sessions);
     }
 
-}
\ No newline at end of file
+}
Index: lams_tool_sbmt/web/monitoring/mark/updatemark.jsp
===================================================================
diff -u -raced7ba6c1e7c5a9a50d3f64d8cdd96dd7e76194 -rfea3637199c74851ed7a8fa620da1ccb898be819
--- lams_tool_sbmt/web/monitoring/mark/updatemark.jsp	(.../updatemark.jsp)	(revision aced7ba6c1e7c5a9a50d3f64d8cdd96dd7e76194)
+++ lams_tool_sbmt/web/monitoring/mark/updatemark.jsp	(.../updatemark.jsp)	(revision fea3637199c74851ed7a8fa620da1ccb898be819)
@@ -55,9 +55,9 @@
 <body class="stripes">
 <c:set var="title"><fmt:message key="label.monitoring.updateMarks.button" /></c:set>
 <lams:Page title="${title}" type="monitor">
-
+<c:set var="csrfToken"><csrf:token/></c:set>
 		<c:forEach var="fileInfo" items="${report}" varStatus="status">
-			<form:form action="updateMark.do" method="post" modelAttribute="markForm" id="updateMarkForm" enctype="multipart/form-data" onsubmit="return validate();">
+			<form:form action="updateMark.do?${csrfToken}" method="post" modelAttribute="markForm" id="updateMarkForm" enctype="multipart/form-data" onsubmit="return validate();">
 			
 				<form:hidden path="toolSessionID" />
 				<form:hidden path="reportID" />
@@ -158,4 +158,4 @@
 <div id="footer"></div>
 </lams:Page>
 </body>
-</lams:html>
\ No newline at end of file
+</lams:html>
Index: lams_tool_sbmt/web/monitoring/parts/summary.jsp
===================================================================
diff -u -r1beaa4cc5e224dd433297d543c5511234c0bfc10 -rfea3637199c74851ed7a8fa620da1ccb898be819
--- lams_tool_sbmt/web/monitoring/parts/summary.jsp	(.../summary.jsp)	(revision 1beaa4cc5e224dd433297d543c5511234c0bfc10)
+++ lams_tool_sbmt/web/monitoring/parts/summary.jsp	(.../summary.jsp)	(revision fea3637199c74851ed7a8fa620da1ccb898be819)
@@ -128,7 +128,8 @@
 		$("#messageArea_Busy").show();
 		
 		$.ajax({
-			url: "<c:url value="/monitoring/releaseMarks.do"/>",
+            type: 'POST',
+			url: "<c:url value="/monitoring/releaseMarks.do"/>?<csrf:token/>",
 			data: {
 				toolSessionID: sessionId, 
 				reqID: (new Date()).getTime()
@@ -204,7 +205,8 @@
 				<fmt:message key="label.monitoring.releaseMarks.button" />
 			</button>
 		</c:if>
-		<form action="downloadMarks.do" method="post" style="display:inline">
+        <c:set var="csrfToken"><csrf:token/></c:set>
+		<form action="downloadMarks.do?${csrfToken}" method="post" style="display:inline">
 			<input type="hidden" name="toolSessionID" value="${sessionDto.sessionID}" />
 			<input type="submit" name="downloadMarks" value="<fmt:message key="label.monitoring.downloadMarks.button" />" class="btn btn-default loffset5 voffset10" />
 		</form>